ankeetray2/auth-sercuity

SecureAuth Pro - Production-Ready Auth System

A high-performance, secure, and modern-looking authentication system built with Node.js, Express, and Firestore.

Features

  • Email Verification: Users must verify their email address via a secure link before accessing the dashboard.
  • Registration & Login: Secure password hashing with BcryptJS.
  • Session Management: Server-side sessions stored in Firestore.
  • Input Validation: Server-side and client-side validation using validator.
  • Security Middleware: Protected routes and restricted access for logged-in users.
  • Modern UI: Premium SaaS interface built with Tailwind CSS and Glassmorphism.
  • Responsive Design: Fully responsive layout for all devices.
  • Real-time Feedback: Flash messages for success and error states.

Tech Stack

  • Backend: Node.js, Express
  • Database: Firebase Firestore
  • Template Engine: EJS
  • Authentication: Custom Session-based
  • Styling: Tailwind CSS
  • Icons: Lucide & FontAwesome

Installation & Setup

  1. Install Dependencies:

     npm install

  2. Database Setup: The application uses Firebase Firestore. Since you are running this in AI Studio, Firebase is already auto-provisioned.

  3. Running the App:

     npm run dev

  4. Production Build:

     npm run build
     npm start

Security Best Practices Implemented

  • Password Hashing: Never stores plain-text passwords. Uses Bcrypt with 10 salt rounds.
  • Session Security: Uses httpOnly and secure cookies for session protection.
  • Input Sanitization: Validates email formats and password strength.
  • Brute-Force Protection: Session-based authentication naturally rate-limits attempts via session handling.
  • Route Protection: Middleware ensures only authenticated users can access the dashboard.

Security Analysis

Password Hashing

We use BcryptJS for password hashing.

  • Salt Rounds: 10 rounds provide a balance between security and performance.
  • Algorithm: Bcrypt's adaptive cost factor makes it resistant to GPU/ASIC-accelerated brute-force attacks.
  • Validation: Strict password complexity rules (uppercase, lowercase, number, symbol) are enforced before hashing.

Session Security

  • Store: Sessions are stored in Firestore (server-side), not in client-side cookies.
  • HttpOnly: Cookies are marked as httpOnly to prevent XSS from reading session IDs.
  • Secure: In production, cookies are marked as secure (HTTPS only).
  • Session Hijacking: Each login generates a new session ID. Logging out destroys the session on the server.

Brute-Force Attacks

  • Hashing Delay: Bcrypt inherently slows down password checking, mitigating rapid brute-force.
  • Session Handling: Failed login attempts do not leak whether the email exists (generic error messages used).

Session Hijacking & Protection

  • Our system uses a secure session store that automatically handles expiration and removal of stale sessions.

Security Best Practices

  • Middleware: ensureAuthenticated ensures users cannot bypass internal routes by simple URL manipulation.
  • Data Isolation: User data is isolated in Firestore with rules that restrict access to the owner only.
  • Validation: All user inputs are sanitized and validated using the validator library.
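The three controls described in this section (the password complexity rules, the httpOnly/secure session cookie, and the ensureAuthenticated middleware), written out as an added example using only Node built-ins; this is not the project's own code, and the function names, the `req.session.userId` field, the 8-character minimum, `sameSite` and `maxAge` are assumptions about how the app is wired up.

```javascript
'use strict';

// Password complexity rules from the README: uppercase, lowercase, number and
// symbol. The 8-character minimum is an assumption, not stated on the page.
const PASSWORD_RULES = [
  { name: 'minLength', test: (p) => p.length >= 8 },
  { name: 'uppercase', test: (p) => /[A-Z]/.test(p) },
  { name: 'lowercase', test: (p) => /[a-z]/.test(p) },
  { name: 'number',    test: (p) => /[0-9]/.test(p) },
  { name: 'symbol',    test: (p) => /[^A-Za-z0-9]/.test(p) },
];

// Returns the names of the rules the password fails; an empty array means
// the password may be passed on to bcrypt for hashing.
function passwordViolations(password) {
  return PASSWORD_RULES.filter((r) => !r.test(password)).map((r) => r.name);
}

// Session cookie options: httpOnly always (JavaScript cannot read the session
// id), secure only in production so local HTTP development still works.
// sameSite and the one-hour maxAge are assumed defaults, not from the page.
function sessionCookieOptions(nodeEnv) {
  return {
    httpOnly: true,
    secure: nodeEnv === 'production',
    sameSite: 'lax',
    maxAge: 60 * 60 * 1000,
  };
}

// ensureAuthenticated: Express-style middleware that lets the request through
// only when the server-side session carries a user id; otherwise the user is
// redirected to the login page instead of reaching the dashboard by URL.
function ensureAuthenticated(req, res, next) {
  if (req.session && req.session.userId) {
    return next();
  }
  if (typeof req.flash === 'function') {
    req.flash('error', 'Please log in to view that page.');
  }
  return res.redirect('/login');
}

module.exports = { passwordViolations, sessionCookieOptions, ensureAuthenticated };
```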

Built with ❤️ by AI Studio
